Evasive Malware via Identifier Implanting. R. Tanabe et al.

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.